Microsoft Opens 'Transparency Center' For Governments To Review Source Code
MojoKid writes with news that Microsoft has announced the opening of a 'Transparency Center' at their Redmond campus, a place where governments who use Microsoft software can come to review the source code in order to make sure it's not compromised by outside agencies. (The company is planning another Transparency Center for Brussels in Belgium.) In addition, Microsoft announced security improvements to several of its cloud products:
As of now, Outlook.com uses TLS (Transport Layer Security) to provide end-to-end encryption for inbound and outbound email — assuming that the provider on the other end also uses TLS. The TLS standard has been in the news fairly recently after discovery of a major security flaw in one popular package (gnuTLS), but Microsoft notes that it worked with multiple international companies to secure its version of the standard. Second, OneDrive now uses Perfect Forward Secrecy (PFS). Microsoft refers to this as a type of encryption, but PFS isn't a standard like AES or 3DES — instead, it's a particular method of ensuring that an attacker who intercepts a particular key cannot use that information to break the entire key sequence. Even if you manage to gain access to one file or folder, in other words, that information can't be used to compromise the entire account.
Governments shouldn't be using closed source garbage to begin with. It just locks them into a specific company and keeps them at their mercy, not to mention that even if the government reviews the source, the public can't do the same. Not a good message to send.
Ken Thompson on trusting trust. http://cm.bell-labs.com/who/ke...
Who cares if you can look at the code? What matters is what you're running.
Looking at the code gives you nothing if you can't compile it to the exact same binary that you are running.
And even if they let you do that... you still need to trust the compiler, and the compiler that compiled that compiler, etc.
Perfect Forward Secrecy? Why not call it Excessive Hubris Before Fuckup? Eventually something is going to be more "perfect" even if the thing is quite good.
As plain text on a US branded OS at the end of the fancy new encryption.
With all the legal obligations in the telco sector all products have to be wiretap-friendly.
CALEA obligations should be very clear to the rest of the world by now. The options presented under CISPA should have been noted too.
Your email, video chat, text, chat will end up as a neat industry standard format for law enforcement use. There will be no going dark on any US product shipped.
"FBI: We need wiretap-ready Web sites - now" (5 May 2012)
http://www.cnet.com/au/news/fb...
Domestic spying is now "Benign Information Gathering"
Don't force bloatware on hapless customers. XP was 1.2GB. XP with SP2 was about 2GB. XP with SP3 is about 7GB. And now Microsoft claims XP is so insecure it cannot be patched anymore, so customers have to buy a new OS which weighs in at 20GB.
Cut all the crap and come clean. Release the entire source code for XP if you are not going to patch it. Or keep quiet and prepare to be unbelieved even if you speak the truth.
If you keep throwing chairs, one day you'll break windows....
>> a place where governments who use Microsoft software can come to review the source code
Where's the proof that the source code you see is exactly the same as that which gets compiled to make the Windows you buy?
Also does anyone else find it as highly suspicious as me that this center is only open to governments?
So... Microsoft lets governments of the world look at the source code at its special center, and then double-dog-swears that there's nothing fishy going on between then and compiling the source code, like say a patch applied somewhere in the build process? Riiiight.
If you WERE to put a backdoor in, that's probably how it'd be done. Would you really want a backdoor explicitly in the code for a developer to find? Of course not, you'd put in something only a few people know about. The secret to secret keeping is limiting the amount of people who know.
The other way to hide the backdoor is to make it a hard to find bug. Plausible deniability is quite high.
I have to believe this is good news though. It means a lot of foreign governments are suspicious of closed source software, to the point where Microsoft has had to announce a plan to make their code however less closed source.
AccountKiller
This is nothing more than security theater. We know of the NSA_KEY in Windows 95. All they need to do is to give Microsoft an NSA letter to install backdoors and they will do so. Just like Google and everyone else. I am surprised that anyone would fall for this.
That is a great PR move, since the US government has recently been as effective as the New Coke campaign at promoting US companies abroad.
Happiness in intelligent people is the rarest thing I know.
Ernest Hemingway
So governments can review Microsoft source code for back doors, great.
But:
1/ How can observers know that the source code shown results in the compiled binary sold?
2/ How can observers know that, when compiled, the compiler does not introduce vulnerabilities?
3/ Would not a malicious observer use the knowledge of the source to look for vulnerabilities for their intelligence agencies to exploit later?
4/ As a private citizen, how can I be assured of or against all the above if I and a number of expert friends cannot also look at the source?
This is why I now only use open source.
BTW Microsoft already lets the US government look at its source code for "security assurance reasons", and of course nobody shares that information with the NSA do they.
It does not matter if you can't take that source code and compile it yourself.
It's the old crypto hardware trick. You can look at all the messages as sent you like. It's encryption perfection for that decade/generation. :)
The plain text is from the tempest (emission security) friendly keyboard.
The only magic is getting your gov to buy the system and then use it for years,
i.e. buying the system is the way in. Every trapdoor and backdoor is crafted around what the buyer might be aware of.
Regarding your last point, are they actually suspicious of closed source, or just suspicious of US based companies? And are they actually suspicious or just claiming suspicion as a front for a trade barrier? A Transparency Center might not need to actually placate suspicion, it may simply need to counter a hostile talking-point.
To give some context into users' response to Microsoft's products, Windows 8 market share just decreased. Comparative figures showed that Windows XP share went up. That's right, the just-discontinued OS is doing better than the current system.
I can't help but point out that this is one of a painful series of mistakes that all happened when Ballmer was in charge. The question for the future of Microsoft is whether he was in command so long that they will never recover.
Why is Snark Required?
Never give anyone so much as a glimpse of your source code unless you are writing open source software and you are part of an open source program. It's just not clever for a business person to do. You are throwing away the crown jewels! Let them guess. Let them “eat static.”
The purpose of existence is to make money.
Who the hell is going to sit down and scan a few million lines of source code with Microsoft looking over your shoulder and hope to spot a backdoor or two in the process?
Even then, how can you be sure that the source code they show you is the stuff you're actually running?
What a PR stunt this is!
1. Government shouldn't use anything proprietary and the US should follow its own rules (AMD exists because gov't rules requirements, why not Microsoft compatible-competitors?)
2. Vendor lock-in always leads to over-pricing and government waste (also, see #1)
3. Microsoft did a deal with the devil (US Government) and now wants to regain trust. Sorry Microsoft. Not going to work.
And did anyone miss the work Facebook has been doing with government? Holy crap. Not only is their censorship completely to the left, they are conducting psych experiments at the request of the US government. I personally avoid the social networking sites and [almost] always have.
(I have used LinkedIn due in no small part to my previous employer reducing its staff by over 90%. Oh yeah, now I can talk about it too! Turns out the Fukushima incident and subsequent lies, deception, inaccuracies and omissions run pretty deep and even found their way to my former employer, a Mitsubishi company. Anyway, LinkedIn... I was checking that from my mobile device and it made mobile pages unusable through CSS and insisted I use an app. I loaded the app and agreed to whatever and the next thing I knew LinkedIn grabbed my whole address book and pulled it into their servers. I can't say whether they used the data to spam others, but I can say they used it to "suggest links" to my profile. That's pretty dirty and disgusting.)
Trust is a difficult thing these days... a fragile thing. And I hope companies everywhere, large and small, learn that lesson. They can learn the hard way or they can be good and decent people asking themselves "would I want someone doing this to me?!" (Just like government gun confiscation -- the answer is NO. The government wouldn't allow the citizens to take their guns, so why should the citizens allow government to take theirs?) Of course, too few people care about golden rules of morality because the world is run by psychopaths. Psychopaths think they can just buy trust. That may have been true, but the pendulum has reached its furthest point and is about to swing back the other way. Microsoft and others are only now figuring that out.
End-to-end encryption has a defined meaning. Transport Layer Security is not end-to-end encryption. TLS encrypts a single link in the chain of systems which handle email. At each point, the mail emerges unencrypted. In particular, mail is stored unencrypted at each mail hosting provider (or if it is stored encrypted, the mail provider has to have the keys and is thus vulnerable to exploits and government intervention). End-to-end encryption does not expose the mail unencrypted to any point between the initial sender and the final receiver. End-to-end is what keeps the spooks out. Wonder why Microsoft wants to erode the meaning of the term.
For smaller governments, below he the bottom three or more, you would be quite right. In total though, they have to trust whatever the fuck they use.
And it wouldn't matter even if the NSA didn't have the keys. Microsoft's ridiculous claim of end-to-end security is just throwing TLS around one of the connections -- which should have been there from day one anyhow, especially since they already require proprietary code to run at each end of the connection!
Imagine a courier handcuffed to a briefcase, but he takes off the handcuff and rifles through the briefcase every time he sits down. It defeats the *entire* purpose, by design. Use PGP (GPG), people. If your message *ever* touches a cloud unencrypted (which it does with Outlook.com), you may as well just publish it.
This is nothing but a feel-good publicity stunt, designed to offset international suspicions that Microsoft works a little too closely with the NSA.
Pick your favorite product: Windows 7? Office? SQL Server? IIS? It doesn't matter, you are talking about millions of lines of source code. No government, or government contractor, will have the expertise, time and money to analyze such a mass of code. They will be utterly dependent on Microsoft to point them to the core routines responsible for whatever they're interested in. Say, email encryption.
However, there is no way they will be able to verify that the code provided is really the code used, that no code called before or after it compromises the security, etc., etc. It is also unlikely that they will update or repeat the audit with every new release, patch or update of the product.
Microsoft must be feeling the pinch - a few too many international contracts being cancelled...
Enjoy life! This is not a dress rehearsal.
Microsoft is still operating under NSL restraints. That means the NSA has the keys anyway.
TLS doesn't work that way, the implementation trusts, and uses, whatever keys it's told to trust (via certificates). And that's the problem, while most implementations will allow you to manage your own certs, for example by creating self-signed certs, the Windows implementation will only trust certs from commercial CAs. You know, Diginotar, Trustwave, Comodo, those sorts of guys. So you can't just generate and manage your own keys and certs but are forced to pay, and trust hundreds of external CAs to manage your certs (and by extension keys) for you.
The summary's description of PFS is a complete clusterfuck, of course (this is /. so *obviously* the summary is going to be technically inaccurate, right?). Yours (LordLimecat) is more accurate, but the full concept isn't that hard so I'll explain it below.
First, some quick basics of TLS (I'm leaving out a lot of details; do *NOT* try to implement this yourself!):
Here's the scenario where PFS matters, and why it is "perfect":
Here's where it gets interesting:
It is this property, where the secrets needed to recover an encryption key are destroyed and cannot be recovered even if one party cooperates with the attacker, which is termed Perfect Forward Secrecy. Note that PFS doesn't make any guarantees if the crypto is attacked while a session is in progress (in this case, the attacker could simply steal the symmetric key) or if the attacker compromises one side before the session begins (in which case they can impersonate that party, typically the server). It is only perfect secrecy going forward.
There's no place I could be, since I've found Serenity...
Microsoft is giving other governments the possibility to install their own backdoors by cooperating in special "transparency centers", provided they pay for it and are buying enough Microsoft products instead of switching to open source alternatives.
M$ is loading their product with spyware for these guys - this is a non-story...
They'll hopefully also provide a full build environment to enable reviewers to rebuild the binaries from the vetted sources and compare them to the distribution binaries. As in the truecrypt analysis shown here: https://madiba.encs.concordia.ca/~x_decarn/truecrypt-binaries-analysis/
And then there remains the question of whether the build environment can be trusted, as shown in Ken's hack: http://cm.bell-labs.com/who/ken/trust.html
For highly reliable code, knowing that the code you review is the code you compile with is vital both for stability and security. This can't be done by visual inspection: it requires good provenance at every stage of the game.
This is actually a security problem with many open-source and freeware code repositories. The authors fail to provide GPG signatures for their tarballs, or to GPG-sign tags for their code. So anyone who can steal access can alter the code at whim. And anyone who can forge an SSL certificate can replace the HTTPS-based websites and cause innocent users to download corrupted, surreptitiously patched code or tarballs.
I'm actually concerned for the day that someone sets up a proxy in front of github.com for a localized man-in-the-middle attack to manipulate various targeted projects.
Just like with "wired equivalent privacy" that we laugh at now? I'd say both have the stench of marketing and excessive hubris.
By itself, that doesn't create a backdoor, but anything compiled using the tainted binary could potentially have a backdoor secretly added, even though the source code for both that code and the compiler would appear to be perfectly clean.
...And solutions against this do exist:
A. Deterministic building.
All software where security is important (Tor, Truecrypt, Bitcoin, to mention a few who practise this approach) has clear procedures designed to compile a binary in a perfectly repeatable form. A rogue compiler would be easy to detect, because it won't create the same binary as everybody else.
B. Comparing compilers.
Use a small collection of different compilers (a few versions of GCC, a few of LLVM, etc.) to compile a compiler whose source you trust (say, a security-reviewed and approved GCC 4.9).
From this point on, you can already compare the output of each of these "GCC 4.9-as-compiled-by-other" by compiling a few test programs and seeing if they match. Check whether any of the test programs has backdoors injected.
- Now you already know which compiler you can trust
Then use that compiler (I mean the multiple versions produced by the various compilers of the first step) to bootstrap itself (you end up with several versions of "GCC 4.9 as compiled by GCC 4.9", each with a different starting point).
Normally all these last step compilers should be more or less similar (see "deterministic" building to reduce the amount of random differences). A rogue compiler will notably stand out.
- Now you have a trusted environment, compiled by a trusty compiler.
Seems complicated, but as I've said, people in critical niches (Tor, Truecrypt, Bitcoin) are already doing exactly that.
That raises tremendously the bar of what the governments need to backdoor software (virtually any modern compiler needs to be compromised, as well as numerous tools around them. Forget one obscure thing somewhere, and someday a researcher or hobbyist will notice discrepancies).
I think most of us are already familiar with this sort of attack, but it's worth repeating, since it's exactly the sort of thing that Microsoft's "Transparency Centers" don't address, and exactly the sort of thing we'd be expecting a government to be doing.
Yup. The first most important thing is to determine a clear procedure for how to take the official source and rebuild the same binaries that everybody is having.
(i.e.: you should be able to check out the source, hit recompile and end up with an installation CD that is indistinguishable from the retail one. So you know you're actually checking the real source, and not some decoy put here for you, while a different backdoor-infested version is getting distributed to your government.)
And as you say, that's exactly NOT what Microsoft is doing.
Also, having only 2 centers world-wide, where only government-mandated devs are invited, severely limits the research exposure of the code.
I'm ready to predict that the only real results will be:
- Big security people who don't happen to be sent by a government won't have a look at the code, and probably several shortcomings will never get seen. The end result won't be as secure as if you let the OpenBSD devs create a LibreDows(*) fork with a "Valhalla Rampage" treatment on it.
- Some black hat will manage to slip through the checks and leak the source. It will get passed around on underground darknets, and the next week you'll see an abominable explosion of 0-day exploits traded on the shadiest parts of the net.
---
(*): Only works when built on systems with massive security counter-measures in their default C library. Like OpenBSD. Secured wrappers provided for Linux (those blissfully ignorant people). Go fuck yourself if you use some outdated OS like old-school VMS (pre OpenVMS). Or if you use an outdated compiler like Visua... Oops. Damn!
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
The main advantages of free/libre open-source software are:
- source is available to review and hack upon for a WAY MUCH LARGER audience. It's "a few security reviewers cherry picked by a government" vs. "virtually anybody who has the time and resource to invest in it".
So you have a bigger pool from which to pick somebody who "is going to understand everything at every layer", or at least understand big enough parts of it, at a large enough number of layers, with enough overlap with the other "somebodies".
- the whole ecosystem is open. You can review lots of other stuff (compilers, libraries, etc.). You can have deterministic building to check if you really have the code that really produced the official binaries (that's already something that Tor, Truecrypt, Bitcoin, etc. are doing).
There are lots of things that you can do to check every piece of software that you need to trust.
Well of course, that's a lot of work required. So in the end, you'll end up having to trust multiple other people anyway. But at least, with open source, that's a choice, and in any case you can do the checks yourself (or more realistically: ask someone you actually trust to do it for you. As in the current ongoing review of TrueCrypt, for example).
Whereas, no matter how motivated, with closed source software you'll always hit a wall. (Well, Microsoft gives you a peek at the Windows code, but not necessarily all the rest needed to check full security.)
Ah, yes. Once again, Microsoft has their own special idea about how to extend a standard. Said like a true Microsoft employee (or paraphrased by someone with a strong reporting bias -- it doesn't seem to be phrased in this way in the original Microsoft post about encryption and transparency).
Ask me about repetitive DNA
"Microsoft isn't implying that. They trying to convince customers they don't have NSA backdoors."
Yes, this smells more like a PR move than anything else. Any government serious about security will roll out its own software stack, which, unlike hardware, costs practically nothing after the initial development. This will limit the attack vector to rogue chips.
...and just run on top of the Linux open source stack. Leave the kernel and security to the seasoned experts in the open source community. Contribute to Wayland or run your own graphical subsystem. (It can be closed source, not everyone is an opensource zealot.).
IMO the windows desktop is all anyone cares about - port it to Linux.
I don't see a problem with this.
Microsoft's hostile takeover of the NoIP domains is still causing massive outages worldwide. Somebody needs to take Microsoft to task for this, and this: Windows is still the operating system of choice for most malware authors. Also, TLS is not end-to-end email encryption. Outlook.com still leaks reader information through tracking images. Windows 8 still sucks.
M$ will probably charge a fee for providing that service!
By step-tracing it thru a compiler & testing data to break it, vs. using a kernel mode debugger or fuzzing on closed source code: That's a FACT (try it yourself sometime - you'll see). Thus, closed source IS more secure.
Lastly, despite "all those eyes" on open SORES (the majority of whom can't code period mind you), you have holes in gnuTLS, and ANDROID exploits exploding daily on it speaks WORLDS of the "security of Linux" & yes - ANDROID = a Linux variant.
APK
P.S.=> Give up the ghost on this b.s. "Pro-*NIX" fans - it's not working anymore - we heard it for YEARS to a DECADE++ around here, & now? You have, what you have, & it puts the years of "Windows != Secure, Linux = Secure" FUD b.s. into the crapper - period...
... apk
And have source code of their tuesmonthly patches available?
If no, then this is rubbish and only idiots will take the bait (i.e. 99% of government 'specialists').
Microsoft's motives are obvious. Other nations are adopting open-source, because nothing is hidden, and Microsoft is saying "me too." Microsoft is just trying to stop other countries from adopting open source.
Problem is: as soon as you start trusting Microsoft, Microsoft will pull the 'ol switcheroo. Then once Microsoft has you vendor-locked: it's problem solved - for Microsoft.
Microsoft's basic strategy has been the same for decades. Anybody who trusts Microsoft at this point is an ignorant fool.
I've been thinking about this whole security issue be it residential, commercial, government or other ...
The problem I see is that there is hardly any negative impact on the source of the breach, be it Microsoft's code, the incorrect implementation of their products, lack of diligence on IT departments, etc.
Recalling the Target hack, accusations from Congress that China hacked some computers, and other major incidents, I don't see where those armed with hoes and rakes and torches are storming the source in an effort to identify culpability.
If this keeps up, it might be a boon to the United States Postal Service (and equivalent in other countries), fax machine sales, and mechanical credit card readers, as we begin to switch back to proven, low-tech solutions.
It little behooves the best of us to comment on the rest of us.
The secret to secret keeping is limiting the amount of people who know.
Not much of a secret now, is it?
Tic-Tac-Toe, Global Thermonuclear War, and relationships all have the same winning move.
It's a good PR attempt, to address what they must perceive as a significant problem, but...
Good luck convincing companies to trust your cloud infrastructure with their data, when they know for a fact that the US government (and probably other governments) could compel you to grant them secret access at any time, regardless of whatever client-access protections are in place. If MS could solve that massive security flaw, I'd be impressed; anything less is just polishing the proverbial turd.
The other way to hide the backdoor is to make it a hard to find bug. Plausible deniability is quite high.
Reading a huge codebase is an unlikely way to spot backdoors anyway. After a few thousand lines the reader's eyes would glaze over, and anything subtle would be missed. This isn't as easy as looking for two-digit year fields a la Y2K reviews.
Besides, the Heartbleed bug should have been a clue that open source alone doesn't make security issues "transparent". Somebody has to both read and understand the code to detect these things, and an OS like Windows is so huge that nobody can understand the whole thing. Even a relatively small, specialized module like OpenSSL slid by for years without anybody noticing the problem.
Have you read my blog lately?
How about you be transparent about how you believe the owners of no-ip are responsible for your own software being vulnerable and how it causes you undue network issues. Then you can also let us know how many Azure hosts and Hotmail/Outlook.com email accounts are also responsible for worldwide issues, also due to your software being vulnerable.
Buck Feta. You know what to do.
Unless they let you compile your own binaries and distribute them, this is utterly useless.
:-)
No text.
"Flyin' in just a sweet place,
Never been known to fail..."
If it's the government's job to review code, why not use OSS and have control as well as peace of mind? If they have experts capable of reviewing/understanding code, then wouldn't it be more productive to be using OSS so they could make changes that benefit themselves? Or BSD so they could own the solution? Being forced to review code to make sure it's safe pretty much eliminates the benefit* of the closed source software anyway.
*The benefit being that someone else is supposedly reliably curating the code for you, and you pay for that service
Twinstiq, game news
Unless governments can rebuild the released version of Microsoft products with said source code, they'll be fed a sanitized version of that source code, but not the original full code base needed to build the final binaries. Backdoors could still be added later at build time, so what's the point?
cpghost at Cordula's Web.
How do we really know if the code seen in the "Transparency Center" is the same as that used for the build of the product you're worried about? Yeah, maybe my tin-foil hat's a little snug, but this has been an interesting year of finding out that the hats were warranted in the first place.
How do we know there aren't unseen CAs from our favorite TLAs which are also trusted?
Yep, that's exactly where I'd put it. Makes it harder to find. If you put it in a later patch, then you're telling the reviewer exactly where to look for it.
Hey, it worked on OpenSSL.
On trusting trust - K. Thompson, Bell labs. A classic.
Help stamp out iliturcy.
I was giving an example of a name that became inappropriate and reading between the lines beyond that is a fools game.